All Posts

I don't know if this is the right place to ask, but I'm currently looking for three members for BotS v7, coming 7th December in Tokyo. If anyone is interested, reply to this post, or if anyone knows the right place for me to look for members, I'd greatly appreciate it if you'd let me know!
Yes, I remember encountering the same issue. You may want to try a different browser to see if it works. Otherwise, if you hover your mouse over the "here" link, you may notice (depending on your browser and OS) that it's trying to send an email request to the AppD Education team with a subject requesting the lab... You can also inspect the link with the browser tools to find out the details. Anyway, it's likely your machine/laptop is unable to determine the right app to launch for a new email, hence nothing happens. If you're using, say, Outlook, then make sure it is the default email app in your OS.
Figured out the issue. It had to do with the permissions of the API keys. I was so focused on the event service permissions that I never stopped to realise the query needed permissions to access the logs.
CrowdStrike Falcon FileVantage Technical Add-On https://splunkbase.splunk.com/app/7090

When the API returns more than one event, the result in Splunk is one event with all the JSON documents merged together, which makes Splunk's JSON parsing fail. In the Python code this seems to be what was intended with the join here:

~/etc/apps/TA_crowdstrike_falcon_filevantage/bin/TA_crowdstrike_falcon_filevantage_rh_crowdstrike_filevantage_json.py

    try:
        helper.log_info(f"{log_label}: Preparing to send: {len(event_data)} FileVantage events to Splunk index: {data_index}")
        events = '\n'.join(json.dumps(line) for line in event_data)  # <-- every record joined into one string
        filevantage_data = helper.new_event(source=helper.get_input_type(), index=helper.get_output_index(), sourcetype=helper.get_sourcetype(), data=events)
        ew.write_event(filevantage_data)
        helper.log_info(f"{log_label}: Data for {len(event_data)} events from FileVantage successfully pushed to Splunk index: {data_index}")

So it is important to write a proper Splunk props.conf to split the merged events with a LINE_BREAKER:

    splunk@ncesplkpoc01:~/etc/apps/TA_crowdstrike_falcon_filevantage$ cat local/props.conf
    [crowdstrike:filevantage:json]
    SHOULD_LINEMERGE = false
    LINE_BREAKER = \n
    NO_BINARY_CHECK = true
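The failure mode described in that post, reproduced as an added example (this is not code from the add-on): `json.dumps` is applied per record and the results are newline-joined into a single event, so a JSON extraction that expects one document per event fails, while splitting on newlines recovers every record. The sample records are constructed, and `ListEventWriter` is a stand-in for the modular-input `EventWriter` that assumes only `write_event()` is called.

```python
import json

# Constructed sample records shaped like FileVantage change events (not real API output).
# The third record carries a newline inside a field value to show that json.dumps()
# escapes it, so a newline-based LINE_BREAKER can never split a record in the middle.
SAMPLE_EVENTS = [
    {"id": "chg-1", "action": "MODIFIED", "path": "/etc/ssh/sshd_config", "host": "web01"},
    {"id": "chg-2", "action": "CREATED", "path": "/tmp/update.sh", "host": "web01"},
    {"id": "chg-3", "action": "DELETED", "path": "/etc/cron.d/backup", "host": "db02",
     "note": "removed by\nadmin"},
]


def join_events_as_one(event_data):
    """The add-on's approach: all records newline-joined into one string, handed to a
    single new_event()/write_event(). Splunk receives one event holding several JSON
    documents."""
    return "\n".join(json.dumps(record) for record in event_data)


def parse_as_single_json(blob):
    """How a JSON extraction sees the merged event: it expects exactly one document.
    Returns the parsed object, or None when the payload is not a single JSON document."""
    try:
        return json.loads(blob)
    except json.JSONDecodeError:
        return None


def split_on_line_breaker(blob):
    """What SHOULD_LINEMERGE=false plus a newline LINE_BREAKER achieves at index time:
    each line becomes its own event, and each line parses on its own."""
    return [json.loads(line) for line in blob.splitlines() if line.strip()]


class ListEventWriter:
    """Stand-in for the modular-input EventWriter (assumption: only write_event() is used)."""

    def __init__(self):
        self.written = []

    def write_event(self, event):
        self.written.append(event)


def write_one_event_per_record(event_data, writer):
    """Alternative fix inside the input itself: one write_event() per record, so no
    props.conf line breaking is needed. Returns the number of events written."""
    for record in event_data:
        writer.write_event(json.dumps(record))
    return len(writer.written)


if __name__ == "__main__":
    merged = join_events_as_one(SAMPLE_EVENTS)
    print("merged blob parses as one JSON document:", parse_as_single_json(merged) is not None)
    print("events recovered by line breaking:", len(split_on_line_breaker(merged)))
    writer = ListEventWriter()
    print("events written individually:", write_one_event_per_record(SAMPLE_EVENTS, writer))
```

One caveat on the props.conf side: Splunk's props.conf documentation states that the LINE_BREAKER regex must contain a capturing group (the default is `([\r\n]+)`), so a bare `\n` without parentheses should be checked against a test ingest before relying on it.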
Hello, I wonder if there are plans to extend the MITRE ATT&CK Framework coverage for ICS? How could someone build upon what this SSE brings in features to add additional Framework elements? Is there any step-by-step guide that could be shared? Thanks, Mihaly
I have a saved search with 'n' results and I need to set up an alert email for the results by creating an alert. If I use |map "savedsearch", the result is "no events found". But there are events in the result of the saved search. Please help me with this.
Hi,

Once a month we receive a file via email that we manually upload to Splunk as a lookup CSV file. The current process is to delete the old file and upload the new one, keeping the same file name. The existing reports use this file without any issues.

There is now a requirement to compare the current file with the previous version and highlight whether any values have been added or removed (the columns stay the same). Initially I wanted to use the "inputlookup" and "collect" commands to output the data into an index and then build a search to compare the data based on the ingest time, effectively comparing the two files. However, I'm getting the following error:

    "The lookup table 'test.csv' requires a .csv or KV store lookup definition."

The file actually exists and is located in "/opt/splunk/etc/apps/test_app/lookups/test.csv". The lookup definition also exists: "test_LD". I suspect this is caused by the size of the lookup file (approx. 36 MB) and wanted to ask for suggestions or workarounds?

Many thanks.
Thanks a lot.
Ended up looking at the search.log and finding the following ERROR: "SRSSerializer - max str len exceeded - probably corrupt". After looking at the known issues page, I found SPL-166001, which stated this happens with events that are larger than 16MB. Even though this isn't the case, I tried the workaround offered there:

    [search]
    results_serial_format=csv

This did fix the issue; however, sadly this is supposed to affect all search performance.
@Terence.Chen: when I clicked on the synthetic monitoring labs and then on "click here", there were no messages, and I'm not sure how to access the lab beyond that point. Can you help me further?
Hi @Shriraam.M, if you have access to AppDynamics University, you may try out the labs. Regards, Terence
Correct - this drilldown will run Splunk's Search app over which you have little control, however, if you drilldown to your own dashboard, you have much more control on the presentation.
Hi, I'm trying to configure SC4S using the following documentation: Quickstart Guide - Splunk Connect for Syslog. But when I run the sudo systemctl start sc4s command, I get errors during initialization:

Please, do you have any idea what's going on? Note also that I've configured the podman http-proxy.conf file to add my proxy.
How to store logs in MinIO (on-premises) from Splunk? I created a bucket named splunk. I successfully ran mc cp test.txt s3/splunk-bucket, but Splunk can't load files into the bucket.

My indexes.conf file:

    [smartstore]
    homePath = $SPLUNK_DB/smartstoredb/db
    coldPath = $SPLUNK_DB/smartstoredb/colddb
    thawedPath = $SPLUNK_DB/smartstoredb/thaweddb
    remotePath = volume:s3

    [volume:s3]
    storageType = remote
    path = s3://splunk
    remote.s3.access_key = minioadmin
    remote.s3.secret_key = minioadmin
    remote.s3.supports_versioning = false
    remote.s3.endpoint = http://10.10.10.1:9000

MinIO config.json:

    {
      "version": "10",
      "aliases": {
        "gcs": {
          "url": "https://storage.googleapis.com",
          "accessKey": "YOUR-ACCESS-KEY-HERE",
          "secretKey": "YOUR-SECRET-KEY-HERE",
          "api": "S3v2",
          "path": "dns"
        },
        "local": {
          "url": "http://10.10.10.1:9000",
          "accessKey": "minioadmin",
          "secretKey": "minioadmin",
          "api": "s3v4",
          "path": "auto"
        },
        "play": {
          "url": "http://10.10.10.1:9000",
          "accessKey": "minioadmin",
          "secretKey": "minioadmin",
          "api": "S3v4",
          "path": "auto"
        },
        "s3": {
          "url": "http://10.10.10.1:9000",
          "accessKey": "minioadmin",
          "secretKey": "minioadmin",
          "api": "s3v4",
          "path": "auto"
        }
      }
    }

PS: I have 3 indexers and a cluster master.
Hi @roopeshetty, you can use this regex:

    REGEX = \"event_sub_type\":\"((WAN\s+Firewall)|TLS)

which you can test at https://regex101.com/r/YBCWAB/1

Ciao and happy splunking, Giuseppe

P.S.: Karma Points are appreciated
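Running that regex over constructed sample events, as an added example (not part of the answer above, and not the customer's real data), alongside the pattern from the question further down and an anchored variant. It shows why `(WAN|TLS)` was not enough, and one thing to check before deploying: neither posted pattern requires the closing quote, so a value such as "TLS Inspection" would still match unless the pattern is anchored with `\"` after the alternation.

```python
import json
import re

# Pattern from the answer (Splunk props/transforms REGEX; Python's re reads it the same way).
ANSWER_REGEX = r'\"event_sub_type\":\"((WAN\s+Firewall)|TLS)'

# Pattern from the question, for comparison: "WAN" alone also matches "WAN Firewall"
# because nothing after the alternation is anchored.
QUESTION_REGEX = r'\"event_sub_type\":\"(WAN|TLS)'

# Anchored variant: the value must be exactly "WAN Firewall" (any whitespace) or "TLS",
# not merely start with one of them.
EXACT_REGEX = r'\"event_sub_type\":\"(WAN\s+Firewall|TLS)\"'

# Constructed sample events (not real firewall logs).
SAMPLE_EVENTS = [
    '{"event_sub_type":"WAN Firewall","action":"block","src_ip":"10.0.0.5"}',
    '{"event_sub_type":"WAN  Firewall","action":"allow","src_ip":"10.0.0.6"}',
    '{"event_sub_type":"TLS","action":"inspect","src_ip":"10.0.0.7"}',
    '{"event_sub_type":"WAN","action":"allow","src_ip":"10.0.0.8"}',
    '{"event_sub_type":"TLS Inspection","action":"inspect","src_ip":"10.0.0.9"}',
    '{"event_sub_type":"LAN Firewall","action":"allow","src_ip":"10.0.0.10"}',
]


def matches(pattern, event):
    """True when a transform using this REGEX would select the raw event."""
    return re.search(pattern, event) is not None


def select(pattern, events):
    """The event_sub_type values that a transform with this REGEX would route."""
    return [json.loads(e)["event_sub_type"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for name, pattern in [("question", QUESTION_REGEX), ("answer", ANSWER_REGEX), ("exact", EXACT_REGEX)]:
        print(f"{name:9s} -> {select(pattern, SAMPLE_EVENTS)}")
```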
Dear splunker, Can you help me?
Cry for help! I installed an add-on in Splunk, but it won't open normally; only a white screen appears. My Splunk version is 9.0.4. How should I solve this problem? Thank you all! Here is the error section of the logs in web_services.log:

    2023-12-01 10:16:41,411 ERROR [65694209637fbde458fdd0] startup:112 - Unable to read in product version information; [HTTP 401] Client is not authenticated
    2023-12-01 10:16:41,412 INFO [65694209637fbde458fdd0] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True
    2023-12-01 10:16:41,413 INFO [65694209637fbde458fdd0] i18n_catalog:46 - i18ncatalog: translations_retrieved=0.0004456043243408203 etag_calculated=4.3392181396484375e-05 overall=0.0004889965057373047
    2023-12-01 10:16:41,413 ERROR [65694209647fbde459b3d0] startup:112 - Unable to read in product version information; [HTTP 401] Client is not authenticated
    2023-12-01 10:16:41,415 INFO [65694209647fbde459b3d0] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True
    2023-12-01 10:16:41,416 INFO [65694209647fbde459b3d0] _cplogging:216 - [01/Dec/2023:10:16:41] ENGINE Started monitor thread 'Monitor'.
    2023-12-01 10:16:41,416 INFO [65694209647fbde459b3d0] root:168 - ENGINE: Started monitor thread 'Monitor'.
    2023-12-01 10:16:41,427 ERROR [65694209647fbde459b3d0] config:149 - [HTTP 401] Client is not authenticated
    Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 147, in getServerZoneInfoNoMem
        return times.getServerZoneinfo()
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/times.py", line 163, in getServerZoneinfo
        serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz', sessionKey=sessionKey)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 625, in simpleRequest
        raise splunk.AuthenticationFailed
    splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated
    2023-12-01 10:16:45,150 ERROR [6569420d237fbde4dc8290] startup:112 - Unable to read in product version information; [HTTP 401] Client is not authenticated
    2023-12-01 10:16:45,151 INFO [6569420d237fbde4dc8290] startup:139 - Splunk appserver version=UNKNOWN_VERSION build=000 isFree=False isTrial=True
    2023-12-01 10:16:45,159 ERROR [6569420d237fbde4dc8290] config:149 - [HTTP 401] Client is not authenticated
    Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/config.py", line 147, in getServerZoneInfoNoMem
        return times.getServerZoneinfo()
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/times.py", line 163, in getServerZoneinfo
        serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz', sessionKey=sessionKey)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 625, in simpleRequest
        raise splunk.AuthenticationFailed
    splunk.AuthenticationFailed: [HTTP 401] Client is not authenticated

    2023-12-01 10:36:53,327 INFO [656946c5357fdfe823efd0] error:321 - Masking the original 404 message: 'Nothing matches the given URI' with 'Page not found!' for security reasons
    2023-12-01 10:36:53,329 INFO [656946c5347fdfe82389d0] error:321 - Masking the original 404 message: 'Nothing matches the given URI' with 'Page not found!' for security reasons
    2023-12-01 10:36:53,342 INFO [656946c5357fdfe8216b90] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 10:36:53,430 INFO [656946c56c7fdfe818afd0] error:321 - Masking the original 404 message: 'Nothing matches the given URI' with 'Page not found!' for security reasons
    2023-12-01 10:36:54,307 INFO [656946c64b7fdfe00b3e50] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 10:36:54,307 ERROR [656946c64b7fdfe00b3e50] utility:58 - name=javascript, class=Splunk.Error, lineNumber=3845, message=Uncaught TypeError: Cannot set properties of undefined (setting 'loadParams'), fileName=https://10.85.182.69:8000/zh-CN/manager/search/apps/local?msgid=5419270.9466664794685945
    2023-12-01 10:36:54,307 ERROR [656946c64b7fdfe00b3e50] utility:58 - name=javascript, class=Splunk.Error, lineNumber=5, message=Uncaught TypeError: Cannot read properties of undefined (reading 'regional'), fileName=https://10.85.182.69:8000/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2/js/common.min.js

    2023-12-01 10:37:37,961 INFO [656946f1f27fdfe8cddb50] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/0.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:37,963 INFO [656946f1f37fdfe80cb390] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/3.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:37,964 INFO [656946f1f37fdfe80b8c90] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/1.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:37,968 INFO [656946f1f57fdfe8c9a1d0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/4.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:38,388 INFO [656946f2607fdfbc5dbad0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/5.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:39,706 INFO [656946f3b27fdfe05e77d0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/1.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:39,707 INFO [656946f3b27fdfbc533750] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/5.js' was not found.' with 'Page not found!' for security reasons
    2023-12-01 10:37:39,709 INFO [656946f3b17fdfe008eed0] error:321 - Masking the original 404 message: 'The path '/zh-CN/static/@0775A864B66952FFC07DAC805E2AAC735374D88D0EA5463E9E4CF36CF62A4344.2:1/app/qianxin-threat-intelligence-app/js/build/0.js' was not found.' with 'Page not found!' for security reasons

    2023-12-01 10:59:07,462 INFO [65694bfb747fdfbc38f550] error:321 - Masking the original 404 message: 'The path '/en-US/static/app/search/$token_image_url$' was not found.' with 'Page not found!' for security reasons
    2023-12-01 11:00:14,001 INFO [65694c3df97fdfbc5ccc50] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:14,072 INFO [65694c3df97fdfbc5ccc50] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:14,175 INFO [65694c3df97fdfbc5ccc50] cached:163 - /opt/splunk/etc/apps/search/appserver/static/setup.json
    2023-12-01 11:00:14,437 INFO [65694c3df97fdfbc5ccc50] view:1137 - PERF - viewType=fastpath viewTime=0.2445s templateTime=0.0666s
    2023-12-01 11:00:14,535 INFO [65694c3e807fdfe071d9d0] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:14,610 INFO [65694c3e957fdfe039f090] startup:139 - Splunk appserver version=9.0.4 build=de405f4a7979 isFree=False isTrial=False
    2023-12-01 11:00:16,799 INFO [65694c40ca7fdfbc56c4d0] error:321 - Masking the original 404 message: 'The path '/en-US/static/app/search/$token_image_url$' was not found.' with 'Page not found!' for security reasons

Such as this:

What problem caused the white screen to occur? If you could help me, I would be extremely grateful!
Thanks a lot, it works! Just one last question: what about performing the change in the parsing/add-on? I mean, the command you shared with me works if I put it in a search when I'm logged on to the console. Suppose the customer asks us, "I want the data already in JSON when I perform a search, without adding the command | tojson". Is it possible to configure some parameter in the TA_windows add-on to achieve this? Or can I only get the two formats, XML and Legacy?
I need an AppDynamics lab for practicing End User Monitoring (EUM), Synthetic Monitoring and Business Analytics.
Thanks a lot gcusello, it worked as expected. One last question: in the regex below we are looking for the texts "WAN" and "TLS":

    REGEX = \"event_sub_type\":\"(WAN|TLS)

In case we want to look for the texts "WAN Firewall" and "TLS", how would the regex be?